On Fri, 13 Jun 1997, Captain Napalm wrote:
> The first is via sendmail. There used to be a way to get into a debugging
> mode and have sendmail run arbitrary commands, and since it often ran as
> root, this was one way someone could break into a system. The debug mode of
> sendmail is the "wizard" mode, but I came onto the e-mail scene just after
> this hole was closed (after the Robert Morris Internet Worm of '88). I
> don't know more than that, sorry.
sendmail wasn't part of Xenix in those days -- all networking aside from
uucp was extra, and mostly still being developed.
> The second requires Intel 386 assembly and assumes you have fingerd
> running (has to be fingerd). What this entails is feeding the fingerd
> program too much information, which overwrites the program stack. With
> careful programming, the excess information can be code that will then run
> arbitrary commands (since fingerd often runs as root). This will also
> require you to know where in memory the executable is loaded, so you can
> provide a valid return address on the stack.
No fingerd, either. Or _any_ real networking daemons in Xenix at the
time.
> If you don't have either of those, try finding an interactive setuid root
> program you can run, as it, too, may have an input buffer you can overrun.
No real holes that I remember from Xenix in that era -- amazingly secure
for a Unix port in those days.
> There may be easier ways, I just don't know of them offhand (do you have
> access to another Xenix system? Could you mount your drives to it? Can you
> boot MS-DOS on it (from the floppy)? If so, you might be able to use Norton
> Utilities to scan the hard drive for the password file and modify it there
> (and if not Norton, then some other low-level disk editor program)).
Well, I know that the setuid hole in Profile 16 for Tandy 68000 Xenix
was never fixed. But filePro 16plus for the 386 version didn't have it.
Back when I broke into over half the Tandy 6000 systems in the Radio
Shack Area Training and Support Offices in 1986 (by invitation from
management -- I'm a hacker, not a cracker) my tools were lists of the
employees' names (works nine out of ten times) and knowledge of the
hole in Profile 16. Which I'd already published a fix for. (An
expanded version of which is available in CIS UNIXFORUM under the
filename SECURE.MS -- I'd delete it, but the account with authority to
do so is ancient history).
--
Ward Griffiths
"America is at that awkward stage. It's too late to work within
the system, but too early to shoot the bastards." --Claire Wolfe
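The stack-smashing technique Captain Napalm describes above (overlong input to a root daemon overwriting the saved return address on the stack) is easier to see with a model than with prose. The following C program is an added example written for this page; it is not code from either poster and not fingerd's source. It models one activation record as a struct (the `frame` layout, the `GOOD_RET` value and the 0x0A0B0C0D target address are all constructed for illustration, since real frame layout is compiler- and ABI-specific), then shows the same overlong line run through a gets()-style unbounded read, which clobbers the return address, and through an fgets()-style bounded read, which does not. The two things the attacker has to know, the offset of the return slot in the frame and the address their injected code will occupy, appear as the two inputs to `build_payload`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a stack frame for a daemon routine that reads one
 * line into a fixed local buffer. On a real 386 the buffer, saved frame
 * pointer and return address sit in this order at increasing addresses,
 * but the exact layout is compiler- and ABI-specific; this struct is an
 * illustration, not fingerd's actual frame. */
struct frame {
    char     buf[64];       /* local input buffer, lowest address      */
    uint32_t saved_fp;      /* saved caller frame pointer              */
    uint32_t ret_addr;      /* address RET pops after the routine ends */
};

/* Constructed placeholder for the legitimate return address. */
#define GOOD_RET 0x08048ABCu

static void frame_init(struct frame *f)
{
    memset(f, 0, sizeof *f);
    f->saved_fp = 0xBFFFF000u;   /* constructed value */
    f->ret_addr = GOOD_RET;
}

/* The gets()-style read: copies until the NUL terminator with no regard
 * for the 64-byte buffer, so a long line runs straight through saved_fp
 * and into ret_addr. (gets() itself has no limit at all; the sizeof cap
 * here only keeps this demonstration inside the model frame instead of
 * trampling real memory.) */
static void read_line_unbounded(struct frame *f, const char *input)
{
    unsigned char *dst = (unsigned char *)f;     /* buf is at offset 0 */
    size_t i;
    for (i = 0; input[i] != '\0' && i < sizeof *f; i++)
        dst[i] = (unsigned char)input[i];
}

/* The fgets()-style read: never writes beyond buf, truncating instead. */
static void read_line_bounded(struct frame *f, const char *input)
{
    strncpy(f->buf, input, sizeof f->buf - 1);
    f->buf[sizeof f->buf - 1] = '\0';
}

/* Build the "too much information": filler up to the return-address slot,
 * then the attacker's chosen address. The offset is what the attacker must
 * know about the frame; `target` is what they must know about where their
 * code will sit in memory. The target is chosen without NUL bytes so the
 * copy does not stop early. Returns the payload length (without the
 * terminator), or 0 if the output buffer is too small. */
size_t build_payload(char *out, size_t cap, uint32_t target)
{
    size_t off = offsetof(struct frame, ret_addr);   /* 68 in this model */
    if (cap < off + sizeof target + 1) return 0;
    memset(out, 'A', off);
    memcpy(out + off, &target, sizeof target);   /* host byte order in and out */
    out[off + sizeof target] = '\0';
    return off + sizeof target;
}

/* Return address left in the frame after each style of read. */
uint32_t ret_after_unbounded(const char *input)
{
    struct frame f;
    frame_init(&f);
    read_line_unbounded(&f, input);
    return f.ret_addr;
}

uint32_t ret_after_bounded(const char *input)
{
    struct frame f;
    frame_init(&f);
    read_line_bounded(&f, input);
    return f.ret_addr;
}

int main(void)
{
    char payload[128];
    uint32_t target = 0x0A0B0C0Du;   /* constructed stand-in for the injected code's address */
    build_payload(payload, sizeof payload, target);

    printf("benign line, unbounded read:   ret=0x%08x\n", (unsigned)ret_after_unbounded("finger root\n"));
    printf("overlong line, unbounded read: ret=0x%08x (attacker's)\n", (unsigned)ret_after_unbounded(payload));
    printf("overlong line, bounded read:   ret=0x%08x (intact)\n", (unsigned)ret_after_bounded(payload));
    return 0;
}
```

The model deliberately stops at the end of the struct; the real gets() in a 1988-era fingerd had no such stop, which is exactly why a line longer than the buffer could carry both the code to run and the address that made the routine return into it. The bounded read is the whole fix: whatever the input length, nothing past `buf` is ever written.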